[Cryptography] What to put in a new cryptography course

Ray Dillinger bear at sonic.net
Thu Jul 7 17:15:46 EDT 2016



On 07/06/2016 09:47 AM, Stephan Neuhaus wrote:

> Other than that, I've tried to find a way to teach ECC, but couldn't, at
> least not at the undergrad level.

If one is to teach ECC at the undergrad level, one must have students
who have already studied group theory.  That's reasonable for math
majors and mathematical cryptographers, but in computer science ECC is
almost the only thing it will enable.  CS needs set theory, logic,
statistics and algebra absolutely.  It benefits greatly from geometry,
trigonometry and calculus/differential equations. But outside of
cryptography it gets almost nothing for number theory, and
outside of ECC it gets almost nothing for group theory.  The closest we
get to group theory in ordinary CS is modular mathematics, and we never
do modular geometry or trig.

I get the _mechanics_ of ECC as "geometry of lines tangent to curves in
modular coordinate systems" but what makes a particular curve secure or
insecure in a particular modular coordinate system?

THAT, and that alone, is the crucial question for understanding ECC, and
that is the question most resolutely ignored in all the introductory
material I've seen in ECC.

Where do the modular coordinates, geometry, and trigonometry boil down
to an algebra problem in a form I know a good reason why we can't easily
solve? And can we show that any simpler formulation, if one exists, would
enable an Easy solution to something we firmly believe is Hard?

It's like that old problem with RSA: you can use any solution to
factoring to solve it, so we know it's no harder than factoring.  If we
could also use any solution to RSA to solve factoring, we'd also know
that it's no easier.  What are the analogous arguments in ECC?

I don't really know, and as a result I'm suspicious and superstitious
about ECC.  About curves selected for efficiency for example.

I get ECC mechanics but without understanding the mathematics of ECC
security very well, I worry about those "efficient" compute properties
and whether they may pertain to unanticipated attacks.  No one has ever
tried to explain to me why there's nothing to fear in these "efficient"
curves, beyond making an appeal to authority or a bald assertion that
there isn't.  Without answers no one seems willing to give to the
crucial questions I posed above, I can't check that assertion.

So my suspicious-bastard side required to do cryptography runs up
against my fear-of-the-unknown in group theory and results in
suspicion of the seeming shortcuts in ECC.

Were you planning a course that addressed the arguments-for-security of
ECC, or just another course on how to do the mechanics?  Because I don't
think we actually need another course on how to do the mechanics; that's
out there already.

				Bear
